Field of the Invention
The present invention generally relates to the field of telecommunications, telecommunication devices, telecommunication networks and online services. In particular, the present invention relates to an authentication system and method for a user to safely access online services (i.e., services made available by service providers accessible through a packet data network like the Internet or an intranet) to which he/she has subscribed (hereinafter, these online services are also referred to as dedicated services). More specifically, the present invention relates to an authentication system and method for simply and effectively enforcing authorized access to dedicated services from mobile devices, regardless of the communication network used to access such dedicated services and of the service provider providing such dedicated services.
Overview of the Related Art
An increasing number of online services are made accessible by service providers over the Internet. Many online services (e.g., e-mail, online newspapers, online banking, e-commerce services, music or video download or streaming, TV or video on demand etc.) require user authentication at each access to securely identify users and enable access only to users who subscribed to the specific service or otherwise possess the right user conditions to access the service.
The widespread diffusion of communication devices, particularly mobile communication devices such as smartphones, tablets, mobile connected PCs, etc., capable of accessing a plurality of telecommunication networks at once, especially packet data networks, through different radio access technologies like GPRS-EDGE or HSDPA-HSUPA over 2G-3G mobile (cellular) phone networks, 4G mobile phone networks, and Wi-Fi® wireless networks, and/or through wired access technologies (e.g. via ADSL modems or Ethernet connections) has brought forth the problem of how to enforce an authentication process that allows users to safely access their dedicated services automatically or with minimal user intervention, irrespective of the telecommunication network used to access the service.
Indeed, different telecommunication networks implement different (if any) authentication systems and/or have different security levels during the transmissions of signals.
Mobile (cellular) phone/data networks typically comprise a safe and transparent-to-the-user authentication system (hereinafter also referred to as “mobile authentication”) for access to online services, relying on the network-based authentication of the MSISDN (Mobile Subscriber ISDN Number) identifier, and use encrypted transmissions. The MSISDN is a univocal code, known to the user, associated with a user subscription and with a user's SIM (Subscriber Identity Module). It is used for identification of the user in the telephone and data services provided by the mobile network and allows a user requesting access to a subscribed service through the mobile phone network to be safely and unambiguously identified. An online service made available by a service provider through a mobile portal, reachable through the mobile phone/data network, can be easily, safely and automatically accessed by the user over the mobile phone network (without the need for the user to input access credentials) because the MSISDN (whose level of trust is guaranteed by the mobile phone network) can be transferred by the mobile phone network to the service provider through suitable and secure techniques (for example via the well-known practice of HTTP header enrichment, or via suitable APIs providing the service provider with the MSISDN corresponding to a specific IP address assigned by the mobile network to the communication device).
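The header-enrichment mechanism described above is only trustworthy when the enriched header genuinely originates from the operator's gateway: a request arriving over any other path (e.g. Wi-Fi) could carry a client-supplied MSISDN header. The following is an added example, not code from the patent or from any operator, showing how a service provider might accept an enriched MSISDN only from assumed gateway address ranges and otherwise fall back to credential-based authentication. The header name `X-MSISDN`, the gateway ranges and the phone numbers are constructed assumptions.

```python
import ipaddress
import re

# Assumed operator gateway ranges from which header enrichment is expected
# (constructed example values, not from the page).
TRUSTED_GATEWAYS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Assumed header name written by the operator's enrichment gateway.
MSISDN_HEADER = "x-msisdn"

# Loose E.164 shape: optional '+', no leading zero, 7 to 15 digits in total.
_E164 = re.compile(r"^\+?[1-9]\d{6,14}$")


def resolve_msisdn(headers, remote_addr):
    """Return (msisdn, reason).

    msisdn is a digit string only when the request came from a trusted gateway
    and carried a well-formed enriched header; otherwise it is None and
    `reason` says why, so the caller can fall back to credentials.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None, "bad-remote-addr"
    # A header from any other source (e.g. a Wi-Fi client) must be ignored,
    # because nothing stops that client from setting it itself.
    if not any(addr in net for net in TRUSTED_GATEWAYS):
        return None, "untrusted-source"
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(MSISDN_HEADER)
    if value is None:
        return None, "no-header"
    value = value.strip()
    if not _E164.match(value):
        return None, "malformed"
    return value.lstrip("+"), "ok"


def authenticate_request(headers, remote_addr):
    """Decide between transparent mobile authentication and asking for credentials."""
    msisdn, reason = resolve_msisdn(headers, remote_addr)
    if msisdn is not None:
        return {"mode": "mobile-authentication", "msisdn": msisdn}
    return {"mode": "credentials-required", "reason": reason}


if __name__ == "__main__":
    # Constructed requests: one via the mobile gateway, one over Wi-Fi.
    print(authenticate_request({"X-MSISDN": "+393331234567"}, "203.0.113.10"))
    print(authenticate_request({"X-MSISDN": "+393331234567"}, "198.51.100.5"))
```

The source-address check is the part that matters: the MSISDN is trusted because the mobile network vouches for it, and that guarantee does not extend to a header that merely looks like the operator's.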
On the other hand, communications through PDNs (Packet Data Networks), and particularly wireless PDNs such as for example WPAN, WLAN, WMAN, WWAN—Wireless Personal, Local, Metropolitan, and Wide Area Network, respectively—, also known as Wi-Fi® networks, are relatively unsafe. Indeed, communications over PDNs do not have the intrinsic access and transmission security level featured by mobile phone networks and in general require a specific user authentication system to authenticate the user. For example, the most common wireless encryption standards, Wired Equivalent Privacy (WEP) and Wi-Fi® Protected Access (WPA and WPA2), have been shown to be breakable. Moreover, PDNs do not comprise a univocal identifier for the users accessing them, and user authentication is usually performed by means of static passwords or temporary passwords (such as OTPs—One Time Passwords), both of which also require a certain degree of user intervention at each access.
Since communication devices are capable of accessing a plurality of telecommunication networks at once, and are often set (e.g. by the user) to automatically select the telecommunication network used to access the dedicated services, usually according to economic and/or transmission speed criteria, such a lack of uniformity in user authentication, and in the related safety or trust level, among different telecommunication networks results in an inability of the online service providers and/or the telecommunication network operators to extend the use of mobile authentication when users access services via Wi-Fi®, and/or requires additional complexity for ensuring uniform user authentication for online services.
In the art, some solutions have been proposed to relieve this issue.
For example, the EAP-SIM (Extensible Authentication Protocol Method for GSM Subscriber Identity Modules) technique is used in GSM-type networks for authentication and session key distribution, using the SIM to carry out user authentication. EAP-SIM runs a SIM authentication algorithm between the client and an Authentication, Authorization and Accounting (AAA) server, providing mutual authentication between the client and the network. EAP-SIM is for example described in detail in RFC 4186.
WO 01/72009 discloses a method and apparatus for a single sign-on method and system for accessing a plurality of services distributed over a network, in which authentication-related functionality is separated from the services, and in which authentication need not be renegotiated for access to a new service from the plurality of services during a session. A notification of the plurality of services when a user has terminated a session, and the use of secure, short-lived authentication tokens to verify a user's identity for subsequent access to the plurality of services, are used. The method comprises receiving a request from a user for authorization to access a service; transmitting a token corresponding to the service to the user; receiving the token corresponding to the service from the user; determining whether the user is authorized to receive the service based on the token; and connecting the user to the service, if the user is authorized to use the service.
WO 01/17310 discloses a communication method and apparatus that apply GSM security principles to authenticate users who are requesting access to packet data networks. The authentication process is triggered by an authenticating entity when it needs to verify the identity of a user trying to access certain resources, e.g., an application of a network. The authenticating entity sends an authentication request to an authentication server. The authentication server checks whether the user's identity corresponds to a known user. If so, the authentication server generates an authentication token that is sent to the user via an access network and a remote host. The authentication server uses a secure communication link, via a wireless network, to request the user to send the authentication token back to the authentication server via the secure communication link over a public land mobile network. Once the user sends the authentication token back to the authentication server via the secure channel, the authentication server compares the authentication token sent to the user and received from the user through the secure communication link. If the authentication tokens match, the authentication server instructs the authenticating entity to grant the user access to the requested services. If the authentication tokens do not match, the user will be denied access to the requested services.
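The WO 01/17310 exchange summarised above has a clear message flow (authenticating entity to authentication server, server to user via the access network, user back to server via the secure mobile channel, server verdict to the authenticating entity). The following is an added example, not code from the patent or from WO 01/17310, that simulates both sides of that exchange in one process. The user directory, identifiers, token length and lifetime are constructed assumptions; the single-use and expiry handling and the constant-time comparison are defensive choices a practitioner would expect, not details stated in the summary.

```python
import hmac
import secrets
import time

# Constructed directory of known users: user id -> MSISDN (example values, not from the page).
KNOWN_USERS = {"alice": "393331234567"}


class FakeClock:
    """Controllable clock so expiry can be exercised deterministically."""

    def __init__(self, start=1_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class AuthenticationServer:
    """Issues a short-lived token over the access network and expects it back over the mobile channel."""

    def __init__(self, ttl_seconds=120, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}  # request_id -> (user_id, token, expires_at)

    def handle_auth_request(self, request_id, user_id):
        # Message from the authenticating entity: "please verify this user".
        if user_id not in KNOWN_USERS:
            return {"to": "authenticating_entity", "verdict": "deny", "reason": "unknown-user"}
        token = secrets.token_hex(16)  # assumed token size; unpredictable, not derived from user data
        self.pending[request_id] = (user_id, token, self.clock() + self.ttl)
        # The token goes to the user via the access network / remote host, and the
        # user is asked to echo it back over the secure link tied to the MSISDN.
        return {"to": "remote_host", "request_id": request_id, "token": token,
                "return_via": "secure-mobile-link", "msisdn": KNOWN_USERS[user_id]}

    def handle_token_return(self, request_id, msisdn, returned_token):
        # Message from the user over the secure PLMN channel.
        entry = self.pending.pop(request_id, None)  # single use: a replay finds nothing
        deny = {"to": "authenticating_entity", "verdict": "deny"}
        if entry is None:
            return {**deny, "reason": "no-pending-request"}
        user_id, token, expires_at = entry
        if self.clock() > expires_at:
            return {**deny, "reason": "expired"}
        # The echo must arrive on the channel belonging to the claimed subscriber.
        if msisdn != KNOWN_USERS[user_id]:
            return {**deny, "reason": "channel-identity-mismatch"}
        if not hmac.compare_digest(token, returned_token):
            return {**deny, "reason": "token-mismatch"}
        return {"to": "authenticating_entity", "verdict": "grant", "user": user_id}


def run_exchange(server, user_id, request_id="req-1", tamper=None):
    """Drive one full exchange; `tamper` optionally alters what the user echoes back."""
    msg = server.handle_auth_request(request_id, user_id)
    if msg["to"] == "authenticating_entity":  # refused before any token was issued
        return msg["verdict"], msg["reason"]
    echoed = msg["token"] if tamper is None else tamper(msg["token"])
    result = server.handle_token_return(request_id, msg["msisdn"], echoed)
    return result["verdict"], result.get("reason", "ok")


if __name__ == "__main__":
    server = AuthenticationServer()
    print(run_exchange(server, "alice"))                                   # grant
    print(run_exchange(server, "mallory"))                                 # deny, unknown-user
    print(run_exchange(server, "alice", tamper=lambda t: "deadbeef"))      # deny, token-mismatch
```

Because the token is consumed on first return and compared in constant time, a token observed on the (less trusted) access network is of no use once the legitimate echo has arrived, and a mismatch is reported to the authenticating entity rather than to the user.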
US 2009/0228966 discloses an authentication method in which a token is associated with a mobile device and with a user of a remote computer; it is established that the token at the mobile device and the token at the remote computer match, and the token at the mobile device and remote computer is updated during a connection. Preferably, a two-factor authentication method is employed in which password authentication is the second factor.
US 2011/249079 discloses transitioning between an audio-only circuit switched call and a video call. A client device, which is currently connected to one or more other client devices through an established audio-only circuit switched call, receives input from a user to transition from the audio-only circuit switched call to the video call. A video call invitation message is transmitted to the other client devices. The client device receives a video call accept message from the other client devices and begins transmitting video captured by its front-facing camera to the other client devices. Responsive to receiving at least a video frame from each of the one or more other client devices, the client device transitions from the audio-only circuit switched call to the video call. After transitioning to the video call, the circuit switched call is dropped.
WO 2013/067601 discloses a method for transmitting an encrypted message from a messaging server to a handset, comprising the steps of receiving, at the messaging server and from a sender computer, a message to be sent to the handset together with a handset identifier associated with the handset, and determining that the handset is not registered with the messaging server by determining that the handset identifier does not have an associated handset encryption key stored at the messaging server. The handset is registered by sending a notification to the handset requesting registration, receiving back a handset encryption key associated with the handset identifier, and storing the handset encryption key against the handset identifier at the messaging server; this key is then used to encrypt the received message before sending. Prior to registering the handset, intermediate encryption of the message may be employed to create an intermediate encrypted message to be stored at the messaging server.